U.S. Environmental Protection Agency
Office of Inspector General
11-P-0159
March 14, 2011

At a Glance

Catalyst for Improving the Environment

Improvements Needed in EPA’s Network Traffic Management Practices

Why We Did This Review

We sought to determine whether the U.S. Environmental Protection Agency (EPA) is effectively managing Agency resources by implementing a management control structure to monitor internal and external computer network traffic.

Background

EPA spends approximately $160 million annually to support Agency network operations and infrastructure. We believe this sum reflects the importance placed on Internet connectivity and the degree to which Agency operations are now conducted electronically. As new threats associated with the electronic exchange of information emerge, information security has become a greater concern. Recent information technology audits continue to identify weaknesses in the Agency’s information technology security program and information systems.

What We Found

The Office of Environmental Information (OEI) does not have consistent, repeatable intrusion detection system monitoring practices in place, which inhibits EPA’s ability to monitor unusual network activity and thus protect Agency systems and associated data. OEI also has not documented a methodology to aid in making decisions about potentially unusual network traffic. The Federal Information Security Management Act requires each agency head to provide information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of Agency information systems. Additionally, the act states that the National Institute of Standards and Technology shall prescribe standards and guidelines pertaining to federal information systems. Agency network security program deficiencies greatly decrease the likelihood that consistent, repeatable results are produced in identifying threats to the Agency’s network and increase the likelihood that potential threats will not be identified.

OEI does not consistently conduct management oversight of contractor performance and reporting. In addition, key federally required security documents for EPA’s Wide Area Network (WAN) were not complete or accurate. Furthermore, the approved security plan had not been updated to reflect the current infrastructure and an associated authorization to operate was not issued prior to implementing the secondary Internet connection. Office of Management and Budget Circular A-123 outlines management’s responsibilities for establishing controls and performing oversight to ensure activities are performed as management intends. The Agency cannot accurately depict the operating environment and implement a system that meets federal requirements unless it can ensure that the security plan is complete, accurate, and approved.

What We Recommend

We recommend that the Director, Office of Technology Operations and Planning, Office of Environmental Information, develop and implement comprehensive log review policies and procedures, establish a management control process to review contractor performance, and update and approve the WAN security plan and properly certify and accredit future significant WAN configuration changes prior to moving them into production. The Agency agreed with our recommendations.

Due to the sensitive nature of the report’s technical findings, the full report is not available to the public.

For further information, contact our Office of Congressional, Public Affairs and Management at (202) 566-2391.